Tomas Gustavsson | 8 Dec 14:17

patch for single sign-on using SSL client certificates


Hi, we are using SSL with client certificate authentication to all our 
web-pages. Naturally using this one would like to authenticate the users with 
the certificate instead of username/password. So I hacked up a small patch to 
snipsnap that will grab the username from the authenticated certificate and use 
that. The user still has to be registered as a snipsnap user off-course, but 
he/she is automagically logged in when going to snipsnap.

The essence of my patch in DefaultSessionService is below.

Is the snipsnap authors/community interested in such a patch in the real 
snipsnap distribution?

Cheers,
Tomas

    /**
     * Get user from session or cookie.
     */
    public User getUser(HttpServletRequest request, HttpServletResponse response) {
      HttpSession session = request.getSession();
      User user = (User) session.getAttribute(ATT_USER);
      String appOid = (String) Application.get().getObject(Application.OID);
      if (null != user && !appOid.equals(user.getApplication())) {
        user = null;
      }
      if (user == null) {
        // Part for authenticating users with X509Certificates. If the user has a
        // trusted client certificate he can get access to the server. Since the
        // certificate is already trusted by java/jsse, we don't have to verify it here.
        // If the CA puts the user's uid in the DN we can use that as login.

        // Check if we have a user in the certificate authentication
        X509Certificate[] certs =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null && certs.length > 0) {
          X509Certificate clientCert = certs[0];
          if (clientCert != null) {
            // Get the Distinguished Name for the user.
            java.security.Principal userDN = clientCert.getSubjectDN();
            String dn = userDN.toString();
            // Get uid, which is the username we will use
            String uid = getPartFromDN(dn, "UID");
            // Construct user class. The uid must belong to a registered snipsnap
            // user; guard against a null result before tagging it with the OID.
            user = ((AuthenticationService)
                Components.getComponent(AuthenticationService.class)).authenticate(uid);
            if (user != null) {
              user.setApplication(appOid);
            }
          }
        }
      }
     if (null == user) {
       Cookie cookie = getCookie(request, COOKIE_NAME);
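A hardened version of the certificate-to-login step sketched above, added here as an example; it is not part of Tomas's patch or of the snipsnap code base. It replaces the unshown getPartFromDN() string search with RFC 2253 parsing through LdapName (so an escaped comma or a literal "UID=" inside another attribute value is never mistaken for a separate RDN), reads the subject through getSubjectX500Principal() instead of the deprecated getSubjectDN(), and returns null, leaving the caller to fall through to the cookie/password path, when the UID is absent, duplicated, binary or oddly shaped. The class name, method names and sample DNs are my own constructions.

```java
import java.security.cert.X509Certificate;
import java.util.regex.Pattern;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

/** Derives a login name from the UID attribute of a container-verified client certificate. */
public final class ClientCertUid {
    /** The uid is handed to the user store as a login name, so accept only a conservative shape. */
    private static final Pattern LOGIN_SHAPE = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /** Returns the UID from the first certificate the container verified, or null if none. */
    public static String uidFromRequest(HttpServletRequest request) {
        X509Certificate[] certs =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) return null; // no verified client certificate
        // RFC 2253 output is well-defined; the format of getSubjectDN().toString() is not.
        return uidFromDn(certs[0].getSubjectX500Principal().getName(X500Principal.RFC2253));
    }

    /** Parses an RFC 2253 DN and returns its single UID value, or null if absent or ambiguous. */
    public static String uidFromDn(String dn) {
        String found = null;
        try {
            // LdapName honours escaping: a comma or "UID=" inside another attribute's
            // value (for example a CN) stays part of that value instead of becoming an RDN.
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                Attribute uid = rdn.toAttributes().get("UID"); // case-insensitive lookup
                if (uid == null) continue;
                if (found != null || uid.size() != 1 || !(uid.get() instanceof String)) {
                    return null; // second UID, multi-valued or binary value: refuse rather than guess
                }
                found = (String) uid.get();
            }
        } catch (NamingException e) {
            return null; // malformed DN
        }
        return (found != null && LOGIN_SHAPE.matcher(found).matches()) ? found : null;
    }

    public static void main(String[] args) {
        // Constructed sample DNs, not taken from any real certificate.
        System.out.println("plain uid:      " + uidFromDn("UID=tomas,CN=Tomas Gustavsson,O=Example"));
        System.out.println("escaped comma:  " + uidFromDn("CN=Some User\\, UID=other,O=Example"));
        System.out.println("no uid at all:  " + uidFromDn("CN=Some User,O=Example"));
    }
}
```

In getUser() the call `String uid = uidFromRequest(request);` would replace the certs/getSubjectDN/getPartFromDN lines, with the existing null check on the authenticated user kept as is.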
